Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>
> Alexander Skwar wrote:

>> The WAF would then send username and password to FreeIPA (using LDAP)
>> and would need to get back, whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>> know of some good howtos or links? Any gotchas that we'd need to be
>> aware of?
>
>
> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>

I created the user uid=system as shown in the howto. But my appliance
is having issues (so to say). I'm getting errors like this one:

[…]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
/ cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636
/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001]
exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
    at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
    at 
com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[…]


Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]

I suppose the "tech" user doesn't have sufficient rights.

In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from
nearly everything is readable to nothing is readable, by default. You
will eventually need to add some Access Control Instructions (ACIs)
to grant read access to the parts of the LDAP tree you will need.

What would be good ACIs to grant read access to
cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

Thanks again,


Alexander
-- 
=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.sk...@gmail.com <==
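Added here as an editorial example, not code from the thread or from FreeIPA: a small Python helper that pulls the JNDI exception class and LDAP result code out of audit records like the one quoted above and says whether the failure can be an ACI problem at all (result code 50, insufficientAccessRights) or happens at bind time, before any ACI is evaluated (result code 48, the case in this mail). The first sample record is the one from the mail; the second is constructed.

```python
import re
from typing import Optional

# LDAP result codes (RFC 4511) seen in a bind-then-search flow, with the usual cause.
# Only code 50 means an ACI is denying access; 48 and 49 fail before ACIs are consulted.
LDAP_RESULT_CODES = {
    32: ("noSuchObject", "bind DN or search base does not exist"),
    48: ("inappropriateAuthentication",
         "bind rejected: empty password, bind entry has no userPassword, "
         "or unauthenticated bind is disallowed"),
    49: ("invalidCredentials", "bind DN exists but the password is wrong"),
    50: ("insufficientAccessRights", "bind succeeded; an ACI denies the read/search"),
    53: ("unwillingToPerform", "server refuses the operation, e.g. bind without TLS"),
}

# The JNDI message the appliance embeds, e.g.
#   javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]
# The log is line-wrapped, so whitespace (including newlines) may appear inside the token.
_JNDI_ERROR = re.compile(
    r"(javax\.naming\.\w+Exception):\s*\[LDAP:\s*error\s+code\s+(\d+)\s*-\s*([^\]]+)\]")
# The "<search base>@<server url>" token inside the Reason: '...' part.
_TARGET = re.compile(r"'([^'@]+)@(ldaps?://[^']+)'")


def classify_ldap_failure(log_text: str) -> Optional[dict]:
    """Extract the LDAP result code from an audit log excerpt; None if no JNDI error is present."""
    m = _JNDI_ERROR.search(log_text)
    if m is None:
        return None
    code = int(m.group(2))
    name, cause = LDAP_RESULT_CODES.get(code, ("unknown", "see RFC 4511 section 4.1.9"))
    target = _TARGET.search(log_text)
    return {
        "exception": m.group(1),
        "code": code,
        "name": name,
        "message": " ".join(m.group(3).split()),  # collapse wrapping whitespace
        "search_base": target.group(1) if target else None,
        "server": target.group(2) if target else None,
        "aci_related": code == 50,
        "cause": cause,
    }


# Sample input 1: the ERROR record quoted in the mail above, wrapping kept as-is.
SAMPLE_LOG = """2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]'"
"""
# Sample input 2: a constructed record for the ACI-denied case.
ACI_DENIED_LOG = ("Reason: 'cn=users,cn=accounts,dc=example,dc=test@ldaps://ldap.example.test:636' "
                  "/ javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]'")
```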

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project